In the ever-evolving landscape of mobile threats, a new player has emerged, aptly named Massiv. This Android banking Trojan, identified by our Mobile Threat Intelligence (MTI) team, is designed to blend seamlessly into the digital environment, masquerading as legitimate applications to evade detection. Its distribution method primarily involves side-loading, a technique that allows it to reach unsuspecting victims without raising alarms.
Massiv has been observed in targeted campaigns, primarily affecting users in southern Europe. Its capabilities are alarming; it enables operators to remotely control infected devices, facilitating Device Takeover attacks that can lead to unauthorized transactions from victims’ banking accounts. Notably, the Trojan often disguises itself as IPTV applications, preying on users seeking online television services.
Massiv Attacks
Equipped with a suite of features that enhance its effectiveness, Massiv stands out as a formidable threat. It employs overlay functionality to create deceptive screens that mimic legitimate applications, keylogging to capture sensitive information, and SMS/Push message interception to gather data from victims. This malware serves as a fully functional remote-control tool, granting operators direct access to the compromised devices.
Digital State is Opening Doors
Overlay attacks are a hallmark of Massiv’s operational strategy. By monitoring applications launched on infected devices, it can present a fake overlay when a targeted application is opened. This overlay prompts users to enter sensitive information, such as credentials and credit card details. One particularly concerning campaign involved the Portuguese government application gov.pt, which serves as a digital identity wallet. By targeting this application, criminals aim to gather personal information that could help them bypass Know Your Customer (KYC) verifications.
Furthermore, Massiv connects with Chave Móvel Digital, a Portuguese digital authentication system that allows citizens to securely access various online services, including banking. This connection opens the door for fraudsters to access victims’ banking accounts and execute fraudulent transactions.
Our research has uncovered instances where new accounts were opened in the names of victims at banks and services they had never used. These accounts, fully controlled by the fraudsters, can be exploited for money laundering and other illicit activities, leaving victims unaware and burdened with debts from accounts they did not authorize.
Taking Over the Device
Once Massiv has captured sensitive data through overlays and keylogging, it grants operators remote access to the infected device. Utilizing the FuncVNC class, the malware leverages Android’s AccessibilityService to establish a control channel that allows near real-time observation and manipulation of the device’s user interface.
Communication occurs over a WebSocket channel, carrying both inbound commands and outbound data. Massiv supports two operational modes during remote control sessions: screen streaming and UI-tree mode. Screen streaming uses the MediaProjection API to share screen content, while UI-tree mode circumvents applications that protect against screen capture by constructing a JSON representation of the device’s interface elements, including:
- Visible text and content descriptions
- Class names of UI elements
- Screen coordinates (bounds)
- Interaction flags (clickable, editable, focused, enabled)
This structured interface model allows operators to identify specific buttons and input fields, understand layout positions, and automate interactions based on element attributes, significantly enhancing their control over the device.
The Scariest Movie You’ll Watch
Massiv’s disguise as an IPTV application is particularly troubling. These applications, often distributed outside the official Google Play Store, attract users seeking access to online TV services, including those that may infringe on copyright policies. Users accustomed to sourcing IPTV apps from unofficial channels may unwittingly install malware disguised as legitimate software.
In many observed cases, the malware dropper masquerading as an IPTV app does not contain malicious code initially. Instead, it opens a WebView to an IPTV website while the actual malware operates in the background, already installed on the device. This tactic has gained traction in recent months, with a noticeable increase in malware droppers posing as IPTV applications targeting users in Spain, Portugal, France, and Turkey.
Despite the rise of this masquerading technique, browser update notifications remain the most common method of deception, as they too appear innocuous to the average user.
Appendix
Indicators of Compromise
| SHA-256 | Package name | Application name |
|---|---|---|
| 54d4cb45fb7a18780ff2ccc7314b9b51ae446c58a179abbf9e62ce0c28539e8e | hobfjp.anrxf.cucm | Google Play |
| f9a52a923989353deb55136830070554db40f544be5a43534273126060f8c1f6 | hfgx.mqfy.fejku | IPTV24 |
Bot Commands
| Command | Description |
|---|---|
| back | Perform Back global action |
| blackscreen | Enable black overlay, mute sounds and vibration |
| check | Send an update of device information |
| click | Perform click by coordinates |
| clipboard | Set clipboard with text |
| disableBlackscreen | Disable black screen |
| installApk | Download and install APK from the specified URL |
| inject | Show overlay for the specified package name |
| uninstallApp | Uninstall specified application |
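As an added example (not code from the report or from the MTI team), a Python triage function that checks an inventory of installed apps against the two indicators in the table above and against the capability profile the report describes: side-loading, an enabled accessibility service, the overlay permission, APK installation (the installApk command) and SMS interception. The inventory record format, the installer values and every hash other than the two IoCs are assumptions constructed for this example.

```python
KNOWN_SHA256 = {  # from the Indicators of Compromise table above
    "54d4cb45fb7a18780ff2ccc7314b9b51ae446c58a179abbf9e62ce0c28539e8e",
    "f9a52a923989353deb55136830070554db40f544be5a43534273126060f8c1f6",
}
KNOWN_PACKAGES = {"hobfjp.anrxf.cucm", "hfgx.mqfy.fejku"}
PLAY_STORE_PACKAGE = "com.android.vending"  # the genuine Google Play package

# Real Android permission strings mapped to the Massiv capability they support.
CAPABILITY_PERMS = {
    "android.permission.SYSTEM_ALERT_WINDOW": "overlay",
    "android.permission.REQUEST_INSTALL_PACKAGES": "installApk",
    "android.permission.RECEIVE_SMS": "sms interception",
}

def triage_app(app):
    """Return the findings for one app record; an empty list means nothing notable."""
    findings = []
    if app["sha256"] in KNOWN_SHA256 or app["package"] in KNOWN_PACKAGES:
        findings.append("known Massiv sample (IoC match)")
    # The first IoC row shows the label "Google Play" on an unrelated package.
    if app["label"] == "Google Play" and app["package"] != PLAY_STORE_PACKAGE:
        findings.append("impersonates Google Play")
    sideloaded = app["installer"] not in (PLAY_STORE_PACKAGE, "system")
    caps = {CAPABILITY_PERMS[p] for p in app["permissions"] if p in CAPABILITY_PERMS}
    # Device takeover profile: sideloaded, enabled accessibility service, overlay permission.
    if sideloaded and app["accessibility_enabled"] and "overlay" in caps:
        findings.append("sideloaded app with accessibility + overlay (device takeover profile)")
        findings.extend(f"also capable of {c}" for c in sorted(caps - {"overlay"}))
    return findings

def triage(inventory):
    """Map package name -> findings, keeping only apps with at least one finding."""
    return {a["package"]: f for a in inventory if (f := triage_app(a))}

# Constructed sample inventory (assumed record format); hashes other than the IoC are placeholders.
SAMPLE_INVENTORY = [
    {"package": "com.android.vending", "label": "Google Play", "sha256": "0" * 64,
     "installer": "system", "accessibility_enabled": False,
     "permissions": {"android.permission.INTERNET"}},
    {"package": "hfgx.mqfy.fejku", "label": "IPTV24", "accessibility_enabled": True,
     "sha256": "f9a52a923989353deb55136830070554db40f544be5a43534273126060f8c1f6",
     "installer": "com.android.packageinstaller",
     "permissions": {"android.permission.SYSTEM_ALERT_WINDOW",
                     "android.permission.REQUEST_INSTALL_PACKAGES",
                     "android.permission.RECEIVE_SMS"}},
    {"package": "example.unknown.variant", "label": "Google Play", "sha256": "1" * 64,
     "installer": "com.android.packageinstaller", "accessibility_enabled": True,
     "permissions": {"android.permission.SYSTEM_ALERT_WINDOW"}},
]
```

Calling `triage(SAMPLE_INVENTORY)` flags the IPTV24 sample by hash and the unknown "Google Play" package by its capability profile, while the genuine Play Store app produces no finding.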